Feeling lost? Why don't you come and get quotes from the wise?
MD5 (quotes.tar.gz) = 3ba36e72cb0ee2186745673475de8cf7
/share endpoint we can submit a URL for the admin bot to visit.
/quote WebSockets endpoint - as long as we satisfy the following conditions:
auth cookie is set at the /auth endpoint when the request is made locally by the admin bot.
ws.origin provided - after all, gevent is the one providing the necessary information in the WSGI environment.
ws.origin value corresponds to that of the Origin headers (this would be quite interesting), there is no way around our exploit page's origin needing to start with localhost and submitted to
We like cat, so don't abuse it please =(
?f= GET request parameter, we can run commands on the server. One problem though - the regex filter is more than a little restrictive.
cat /?tc/???t?, we could read the
cat /???????? yielded this very interesting-looking binary. At first glance, it contained the string readflag.c, so we could guess that this binary is probably called readflag and it runs with elevated permissions to read a flag file somewhere (so that we need RCE instead of simple file reading)
sRPd45w_0 as an argument (argv) in order to read the flag. This was the result of rearranging the letters in the string
| character is allowed, we are able to use piping to terminate the cat command and start a new command. For example, using ?f=| /??a???a? will translate to cat | /??a???a?, which runs the
P4s5_w0Rd is in the binary. If we could run strings on the binary, somehow extract only the password string, and rearrange the letters, we could use command substitution to pass the correct password as an argument.
P4s5_w0Rd string. I came across this writeup of a similar command injection challenge where the author used /etc/alternatives/nawk to filter output using regex, so I decided to try something similar.
] are very useful. This allowed me to construct a regex that leaves only the password string.
/???/???/?t????? /???????? | /???/a?t???a?????/?a?? /[.-t][.-a][.-t][.-a][!-a].[.-a][.-t][c-t]/, we can get the
$(), but this will yield "Wrong Password!".
sRPd45w_0. It would be great if we could get characters of the string at specified indices - it sure is nice that a cut command exists for this very purpose!
/???/???/c?t -cX, we will get the character of the string at index X.
$? is one of the special parameters in bash, containing the exit status code of the previous command. If the exit code is non-zero, then $? / $? will yield 1, $? / $? -- $? / $? will yield 2, and so on. If the exit code is zero, this method will lead to a division by zero error.
(a || /???/???/c?t -c$(($? / $?))).